· 6 years ago · Dec 06, 2019, 01:00 AM
1<?php
2/*
3 * Written By: ShivalWolf
4 * Date: 2011/06/03
5 * Contact: Shivalwolf@domwolf.net
6 *
7 * UPDATE 2011/04/05
8 * The code now returns a real error message on a bad query with the mysql error number and its error message
9 * checks for magic_quotes being enabled and strips slashes if it is. Its best to disable magic quotes still.
10 * Checks to make sure the submitted form is a x-www-form-urlencode just so people dont screw with a browser access or atleast try to
11 * Forces the output filename to be JSON to conform with standards
12 *
13 * UPDATE 2011/06/03
14 * Code updated to use the Web Module instead of tinywebdb
15 *
16 * UPDATE 2013/12/26 and 2014/02/18
17 * minor modifications by Taifun, puravidaapps.com
18 *
19 * UPDATE 2014/07/11
20 * mysql API (deprecated) replaced by mysqli by Taifun
21 *
22 * UPDATE 2015/04/30
23 * SELECT logic adjusted (result stored in temp. file removed) by Taifun
24 *
25 * UPDATE 2016/02/21
26 * Bugfix Undefined variable: csv
27 */
28
29/************************************CONFIG****************************************/
30//DATABSE DETAILS//
31$DB_ADDRESS="localhost";
32$DB_USER="id11127954_boina";
33$DB_PASS="boina";
34$DB_NAME="id11127954_boina";
35
36//SETTINGS//
37//This code is something you set in the APP so random people cant use it.
38$SQLKEY="secret";
39
40/************************************CONFIG****************************************/
41
42//these are just in case setting headers forcing it to always expire
43header('Cache-Control: no-cache, must-revalidate');
44
45error_log(print_r($_POST,TRUE));
46
47if( isset($_POST['query']) && isset($_POST['key']) ){ //checks if the tag post is there and if its been a proper form post
48 //set content type to CSV (to be set here to be able to access this page also with a browser)
49 header('Content-type: text/csv');
50
51 if($_POST['key']==$SQLKEY){ //validates the SQL key
52 $query=urldecode($_POST['query']);
53 if(get_magic_quotes_gpc()){ //check if the worthless pile of crap magic quotes is enabled and if it is, strip the slashes from the query
54 $query=stripslashes($query);
55 }
56 $conn = new mysqli($DB_ADDRESS,$DB_USER,$DB_PASS,$DB_NAME); //connect
57
58 if($conn->connect_error){ //checks connection
59 header("HTTP/1.0 400 Bad Request");
60 echo "ERROR Database Connection Failed: " . $conn->connect_error, E_USER_ERROR; //reports a DB connection failure
61 } else {
62 $result=$conn->query($query); //runs the posted query
63 if($result === false){
64 header("HTTP/1.0 400 Bad Request"); //sends back a bad request error
65 echo "Wrong SQL: " . $query . " Error: " . $conn->error, E_USER_ERROR; //errors if the query is bad and spits the error back to the client
66 } else {
67 if (strlen(stristr($query,"SELECT"))>0) { //tests if it's a SELECT statement
68 $csv = ''; // bug fix Undefined variable: csv
69 while ($fieldinfo = $result->fetch_field()) {
70 $csv .= $fieldinfo->name.",";
71 }
72 $csv = rtrim($csv, ",")."\n";
73 echo $csv; //prints header row
74 $csv = '';
75
76 $result->data_seek(0);
77 while($row = $result->fetch_assoc()){
78 foreach ($row as $key => $value) {
79 $csv .= $value.",";
80 }
81 $csv = rtrim($csv, ",")."\n";
82 }
83 echo $csv; //prints all data rows
84 } else {
85 header("HTTP/1.0 201 Rows");
86 echo "AFFECTED ROWS: " . $conn->affected_rows; //if the query is anything but a SELECT, it will return the number of affected rows
87 }
88 }
89 $conn->close(); //closes the DB
90 }
91 } else {
92 header("HTTP/1.0 400 Bad Request");
93 echo "Bad Request"; //reports if the secret key was bad
94 }
95} else {
96 header("HTTP/1.0 400 Bad Request");
97 echo "Bad Request";
98}
99?>